lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAMB2axNqfBpneVc9unn7S65Ewb1u6EpLudjtiq00-sqbfnSY7w@mail.gmail.com>
Date: Fri, 11 Apr 2025 09:58:52 -0700
From: Amery Hung <ameryhung@...il.com>
To: Kumar Kartikeya Dwivedi <memxor@...il.com>
Cc: bpf@...r.kernel.org, netdev@...r.kernel.org, alexei.starovoitov@...il.com, 
	andrii@...nel.org, daniel@...earbox.net, edumazet@...gle.com, kuba@...nel.org, 
	xiyou.wangcong@...il.com, jhs@...atatu.com, martin.lau@...nel.org, 
	jiri@...nulli.us, stfomichev@...il.com, toke@...hat.com, sinquersw@...il.com, 
	ekarani.silvestre@....ufcg.edu.br, yangpeihao@...u.edu.cn, 
	yepeilin.cs@...il.com, kernel-team@...a.com
Subject: Re: [PATCH bpf-next v7 03/10] bpf: net_sched: Add basic bpf qdisc kfuncs

On Fri, Apr 11, 2025 at 6:32 AM Kumar Kartikeya Dwivedi
<memxor@...il.com> wrote:
>
> On Wed, 9 Apr 2025 at 23:46, Amery Hung <ameryhung@...il.com> wrote:
> >
> > From: Amery Hung <amery.hung@...edance.com>
> >
> > Add basic kfuncs for working on skb in qdisc.
> >
> > Both bpf_qdisc_skb_drop() and bpf_kfree_skb() can be used to release
> > a reference to an skb. However, bpf_qdisc_skb_drop() can only be called
> > in .enqueue where a to_free skb list is available from kernel to defer
> > the release. bpf_kfree_skb() should be used elsewhere. It is also used
> > in bpf_obj_free_fields() when cleaning up skb in maps and collections.
> >
> > bpf_skb_get_hash() returns the flow hash of an skb, which can be used
> > to build flow-based queueing algorithms.
> >
> > Finally, allow users to create read-only dynptr via bpf_dynptr_from_skb().
> >
> > Signed-off-by: Amery Hung <amery.hung@...edance.com>
> > Acked-by: Toke Høiland-Jørgensen <toke@...hat.com>
> > ---
>
> How do we prevent UAF when dynptr is accessed after bpf_kfree_skb?
>

Good question...

Maybe we can add a ref_obj_id field to bpf_reg_state->dynptr to track
the ref_obj_id of the object underlying a dynptr?

Then, in release_reference(), in addition to finding ref_obj_id in
registers, verifier will also search stack slots and invalidate all
dynptrs with the ref_obj_id.

Does this sound like a feasible solution?

> >  [...]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ